add tests and update messageExpression

Signed-off-by: Rita Zhang <[email protected]>
open-policy-agent · Sep 12, 2024 · 0a7d73d · 0a7d73d
1 parent 132e61c
commit 0a7d73d
Show file tree

Hide file tree

Showing 13 changed files with 346 additions and 30 deletions.
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ name: k8spspforbiddensysctls
 displayName: Forbidden Sysctls
 createdAt: "2024-07-05T17:47:31Z"
 description: Controls the `sysctl` profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not in the `allowedSysctls` parameter is considered to be forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
-digest: c34167b32bcd5b55b48a68614ad4b20cd26294d17be559738f01735ab719f621
+digest: 6e64cb0e325f6894b153216cc2f1b30f2ea4de6d62dced4f7b59209207394ce3
 license: Apache-2.0
 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/forbidden-sysctls
 keywords:

diff --git a/...od-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint3.yaml b/...od-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint3.yaml
@@ -12,4 +12,4 @@ spec:
     # - "*" # * may be used to forbid all sysctls
     - kernel.*
     allowedSysctls:
-    - "net.*" # allows all sysctls. allowedSysctls is optional.
+    - "net.*"
diff --git a/...od-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint4.yaml b/...od-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint4.yaml
@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPForbiddenSysctls
+metadata:
+  name: psp-forbidden-sysctls
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    forbiddenSysctls:
+    # - "*" # * may be used to forbid all sysctls
+    - kernel.*
+    allowedSysctls: [] # empty allowedSysctls means all sysctls are forbidden
diff --git a/...od-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint5.yaml b/...od-security-policy/forbidden-sysctls/1.2.0/samples/psp-forbidden-sysctls/constraint5.yaml
@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPForbiddenSysctls
+metadata:
+  name: psp-forbidden-sysctls
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    forbiddenSysctls:
+    # - "*" # * may be used to forbid all sysctls
+    - kernel.*
+    # unspecified allowedSysctls will not place any restrictions
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/suite.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/suite.yaml
@@ -19,15 +19,15 @@ tests:
         object: samples/psp-forbidden-sysctls/update.yaml
         assertions:
           - violations: no
-  - name: forbidden-sysctls2
+  - name: forbidden-sysctls-wildcard
     template: template.yaml
     constraint: samples/psp-forbidden-sysctls/constraint2.yaml
     cases:
       - name: example-disallowed
         object: samples/psp-forbidden-sysctls/example_disallowed.yaml
         assertions:
           - violations: yes
-      - name: example-allowed
+      - name: example-disallowed
         object: samples/psp-forbidden-sysctls/example_allowed.yaml
         assertions:
           - violations: yes
@@ -51,3 +51,35 @@ tests:
         object: samples/psp-forbidden-sysctls/update.yaml
         assertions:
           - violations: no
+  - name: forbidden-sysctls4-empty-allowedSysctls
+    template: template.yaml
+    constraint: samples/psp-forbidden-sysctls/constraint4.yaml
+    cases:
+      - name: example-disallowed
+        object: samples/psp-forbidden-sysctls/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-disallowed
+        object: samples/psp-forbidden-sysctls/example_allowed.yaml
+        assertions:
+          - violations: yes
+      - name: update
+        object: samples/psp-forbidden-sysctls/update.yaml
+        assertions:
+          - violations: no
+  - name: forbidden-sysctls5-unspecified-allowedSysctls
+    template: template.yaml
+    constraint: samples/psp-forbidden-sysctls/constraint5.yaml
+    cases:
+      - name: example-disallowed
+        object: samples/psp-forbidden-sysctls/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-allowed
+        object: samples/psp-forbidden-sysctls/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: update
+        object: samples/psp-forbidden-sysctls/update.yaml
+        assertions:
+          - violations: no
diff --git a/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml b/artifacthub/library/pod-security-policy/forbidden-sysctls/1.2.0/template.yaml
@@ -43,6 +43,8 @@ spec:
       - engine: K8sNativeValidation
         source:
           variables:
+          - name: isUpdate
+            expression: has(request.operation) && request.operation == "UPDATE"
           - name: sysctls
             expression: '!has(variables.anyObject.spec.securityContext) ? [] : !has(variables.anyObject.spec.securityContext.sysctls) ? [] : variables.anyObject.spec.securityContext.sysctls'
           - name: allowedSysctlPrefixes
@@ -59,19 +61,20 @@ spec:
             expression: |
               !has(variables.params.forbiddenSysctls) ? [] : 
                 variables.params.forbiddenSysctls.filter(sysctl, !sysctl.endsWith("*"))
-          - name: allAllowed
-            expression: '!has(variables.params.allowedSysctls) ? true : false'
+          - name: allowedSysctlsString
+            expression: |
+              !has(variables.params.allowedSysctls) ? "unspecified" : size(variables.params.allowedSysctls) == 0 ? "empty" : variables.params.allowedSysctls.join(", ")
           - name: violatingSysctls
             expression: |
               (variables.sysctls.filter(sysctl,
                 (sysctl.name in variables.forbiddenSysctlExplicit ||
                 variables.forbiddenSysctlPrefixes.exists(fsp, string(sysctl.name).startsWith(fsp))) ||
-                (!variables.allAllowed &&
+                (has(variables.params.allowedSysctls) &&
                 !(sysctl.name in variables.allowedSysctlExplicit) &&
                 !variables.allowedSysctlPrefixes.exists(asp, string(sysctl.name).startsWith(asp)))))
           validations:
-          - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.violatingSysctls) == 0'
-            messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.forbiddenSysctls.map(c, c).join(", ") + ", allowed: " + variables.allowedSysctls.map(c, c).join(", ")'
+          - expression: 'variables.isUpdate || size(variables.violatingSysctls) == 0'
+            messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.params.forbiddenSysctls.join(", ") + ", allowed: " + variables.allowedSysctlsString'
       - engine: Rego
         source:
           rego: |

diff --git a/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint3.yaml b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint3.yaml
@@ -12,4 +12,4 @@ spec:
     # - "*" # * may be used to forbid all sysctls
     - kernel.*
     allowedSysctls:
-    - "net.*" # allows all sysctls. allowedSysctls is optional.
+    - "net.*"
diff --git a/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint4.yaml b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint4.yaml
@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPForbiddenSysctls
+metadata:
+  name: psp-forbidden-sysctls
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    forbiddenSysctls:
+    # - "*" # * may be used to forbid all sysctls
+    - kernel.*
+    allowedSysctls: [] # empty allowedSysctls means all sysctls are forbidden
diff --git a/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint5.yaml b/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/constraint5.yaml
@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPForbiddenSysctls
+metadata:
+  name: psp-forbidden-sysctls
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    forbiddenSysctls:
+    # - "*" # * may be used to forbid all sysctls
+    - kernel.*
+    # unspecified allowedSysctls will not place any restrictions
diff --git a/library/pod-security-policy/forbidden-sysctls/suite.yaml b/library/pod-security-policy/forbidden-sysctls/suite.yaml
@@ -19,15 +19,15 @@ tests:
         object: samples/psp-forbidden-sysctls/update.yaml
         assertions:
           - violations: no
-  - name: forbidden-sysctls2
+  - name: forbidden-sysctls-wildcard
     template: template.yaml
     constraint: samples/psp-forbidden-sysctls/constraint2.yaml
     cases:
       - name: example-disallowed
         object: samples/psp-forbidden-sysctls/example_disallowed.yaml
         assertions:
           - violations: yes
-      - name: example-allowed
+      - name: example-disallowed
         object: samples/psp-forbidden-sysctls/example_allowed.yaml
         assertions:
           - violations: yes
@@ -51,3 +51,35 @@ tests:
         object: samples/psp-forbidden-sysctls/update.yaml
         assertions:
           - violations: no
+  - name: forbidden-sysctls4-empty-allowedSysctls
+    template: template.yaml
+    constraint: samples/psp-forbidden-sysctls/constraint4.yaml
+    cases:
+      - name: example-disallowed
+        object: samples/psp-forbidden-sysctls/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-disallowed
+        object: samples/psp-forbidden-sysctls/example_allowed.yaml
+        assertions:
+          - violations: yes
+      - name: update
+        object: samples/psp-forbidden-sysctls/update.yaml
+        assertions:
+          - violations: no
+  - name: forbidden-sysctls5-unspecified-allowedSysctls
+    template: template.yaml
+    constraint: samples/psp-forbidden-sysctls/constraint5.yaml
+    cases:
+      - name: example-disallowed
+        object: samples/psp-forbidden-sysctls/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-allowed
+        object: samples/psp-forbidden-sysctls/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: update
+        object: samples/psp-forbidden-sysctls/update.yaml
+        assertions:
+          - violations: no
diff --git a/library/pod-security-policy/forbidden-sysctls/template.yaml b/library/pod-security-policy/forbidden-sysctls/template.yaml
@@ -43,6 +43,8 @@ spec:
       - engine: K8sNativeValidation
         source:
           variables:
+          - name: isUpdate
+            expression: has(request.operation) && request.operation == "UPDATE"
           - name: sysctls
             expression: '!has(variables.anyObject.spec.securityContext) ? [] : !has(variables.anyObject.spec.securityContext.sysctls) ? [] : variables.anyObject.spec.securityContext.sysctls'
           - name: allowedSysctlPrefixes
@@ -59,19 +61,20 @@ spec:
             expression: |
               !has(variables.params.forbiddenSysctls) ? [] : 
                 variables.params.forbiddenSysctls.filter(sysctl, !sysctl.endsWith("*"))
-          - name: allAllowed
-            expression: '!has(variables.params.allowedSysctls) ? true : false'
+          - name: allowedSysctlsString
+            expression: |
+              !has(variables.params.allowedSysctls) ? "unspecified" : size(variables.params.allowedSysctls) == 0 ? "empty" : variables.params.allowedSysctls.join(", ")
           - name: violatingSysctls
             expression: |
               (variables.sysctls.filter(sysctl,
                 (sysctl.name in variables.forbiddenSysctlExplicit ||
                 variables.forbiddenSysctlPrefixes.exists(fsp, string(sysctl.name).startsWith(fsp))) ||
-                (!variables.allAllowed &&
+                (has(variables.params.allowedSysctls) &&
                 !(sysctl.name in variables.allowedSysctlExplicit) &&
                 !variables.allowedSysctlPrefixes.exists(asp, string(sysctl.name).startsWith(asp)))))
           validations:
-          - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.violatingSysctls) == 0'
-            messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.forbiddenSysctls.map(c, c).join(", ") + ", allowed: " + variables.allowedSysctls.map(c, c).join(", ")'
+          - expression: 'variables.isUpdate || size(variables.violatingSysctls) == 0'
+            messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.params.forbiddenSysctls.join(", ") + ", allowed: " + variables.allowedSysctlsString'
       - engine: Rego
         source:
           rego: |

diff --git a/src/pod-security-policy/forbidden-sysctls/src.cel b/src/pod-security-policy/forbidden-sysctls/src.cel
@@ -1,4 +1,6 @@
 variables:
+- name: isUpdate
+  expression: has(request.operation) && request.operation == "UPDATE"
 - name: sysctls
   expression: '!has(variables.anyObject.spec.securityContext) ? [] : !has(variables.anyObject.spec.securityContext.sysctls) ? [] : variables.anyObject.spec.securityContext.sysctls'
 - name: allowedSysctlPrefixes
@@ -15,16 +17,17 @@ variables:
   expression: |
     !has(variables.params.forbiddenSysctls) ? [] : 
       variables.params.forbiddenSysctls.filter(sysctl, !sysctl.endsWith("*"))
-- name: allAllowed
-  expression: '!has(variables.params.allowedSysctls) ? true : false'
+- name: allowedSysctlsString
+  expression: |
+    !has(variables.params.allowedSysctls) ? "unspecified" : size(variables.params.allowedSysctls) == 0 ? "empty" : variables.params.allowedSysctls.join(", ")
 - name: violatingSysctls
   expression: |
     (variables.sysctls.filter(sysctl,
       (sysctl.name in variables.forbiddenSysctlExplicit ||
       variables.forbiddenSysctlPrefixes.exists(fsp, string(sysctl.name).startsWith(fsp))) ||
-      (!variables.allAllowed &&
+      (has(variables.params.allowedSysctls) &&
       !(sysctl.name in variables.allowedSysctlExplicit) &&
       !variables.allowedSysctlPrefixes.exists(asp, string(sysctl.name).startsWith(asp)))))
 validations:
-- expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.violatingSysctls) == 0'
-  messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.forbiddenSysctls.map(c, c).join(", ") + ", allowed: " + variables.allowedSysctls.map(c, c).join(", ")'
+- expression: 'variables.isUpdate || size(variables.violatingSysctls) == 0'
+  messageExpression: '"The sysctl is not allowed for pod: " + variables.anyObject.metadata.name + ", forbidden: " + variables.params.forbiddenSysctls.join(", ") + ", allowed: " + variables.allowedSysctlsString'